Credit Card Fraud Network Mapped by Team Cymru

A study identifies 85 domains and 28 IPs that serve as platforms for stolen card data and shows the use of bulletproof hosting and special domain extensions.

A new report reveals the technical infrastructure behind a global network of illegal credit card markets. The findings provide prosecutors with a blueprint for countermeasures.

Cybersecurity experts have uncovered the technical basis of a global network of illegal credit card markets. A study by Team Cymru identified 85 specific domains and 28 IP addresses that serve as trading platforms for stolen card data. The findings, released this week, provide law enforcement and financial institutions with a rare, detailed map of the infrastructure that enables millions of dollars in global fraud.

The “bulletproof” infrastructure of cybercriminals

The research, conducted between July and December 2025, shows how cybercriminals maintain their operations despite frequent raids. According to the report, the identified infrastructure relies heavily on so-called “bulletproof” hosting providers. These services deliberately ignore reports of abuse and refuse to cooperate with international investigators.

The report identified the provider Privex, which markets itself as a “data protection-oriented” infrastructure service, as a recurring host of such operations. Such providers often allow customers to rent virtual private servers (VPS) anonymously, without proof of identity and against payment in cryptocurrency. This anonymity makes it much more difficult for authorities to track the people behind the marketplaces. By hosting their login portals and forums on these resilient servers, operators ensure that their “shops” stay online even if individual domains are seized.

Strategic domain choice: .SU, .CC and .RU

A striking aspect of the findings is the continued use of specific top-level domains (TLDs) to avoid shutdowns. The research highlights a strategic preference among the operators for .su, .cc and .ru domains.

The .su domain, originally assigned to the Soviet Union, is still active decades after its dissolution. Experts say it has become a hotbed for cybercrime due to its notoriously lax registration policy and lack of effective oversight. The .cc domain (technically assigned to the Cocos Islands) is also popular: it is cheap to register in large quantities and also serves as a handy abbreviation for “credit card” in underground jargon.

The use of .ru domains offers another advantage: it insulates the sites from Western legal processes. Servers and domains registered in Russia are often beyond the reach of US or European court orders. This creates a legal shield that makes cross-border investigations much more difficult.

Proactive detection before launch

The discovery of these 85 domains was made possible by the research team's proactive scanning method. Instead of waiting for fraud reports, the analysts used Internet-wide fingerprinting techniques to detect the credit card servers the moment they came online.

By scanning specific HTTP and HTTPS titles on ports 80 and 443, researchers were able to identify servers broadcasting telltale keywords such as “CVV,” “dumps,” “carding,” or “shop.” This approach allowed the team to capture the real IP addresses of the servers during their initial configuration phase, often before the operators placed them behind content delivery networks (CDNs) or services like Cloudflare.

This visibility before complete obfuscation is crucial. Once a site is fully operational and protected by a CDN, its origin IP is masked, making it extremely difficult to locate the server physically. Data collected during this window of vulnerability provides actionable intelligence to contact hosting providers or block traffic at the network level.
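The triage step described above can be sketched as follows. This is an added example, not Team Cymru's tooling: the scan records, hostnames and the CDN range are constructed placeholders, and treating “shop” as a supporting keyword only is an assumption made here to limit false positives.

```python
import ipaddress
import re

# Keywords named in the article. Treating "shop" as supporting-only is an
# assumption of this example: on its own it matches ordinary retail sites.
STRONG = ("cvv", "dumps", "carding")
SUPPORTING = ("shop",)
WATCHED_TLDS = (".su", ".cc", ".ru")  # TLDs the article highlights

# Placeholder CDN range (RFC 5737 documentation space), not a real CDN prefix.
CDN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed scan records: (ip, port, hostname, HTML title).
SAMPLE_SCAN = [
    ("192.0.2.10", 443, "constructed-a.su", "Best CVV Shop | Dumps with PIN"),
    ("203.0.113.7", 443, "constructed-b.cc", "Carding forum - login"),
    ("192.0.2.44", 80, "constructed-c.ru", "Flower shop - delivery"),
    ("198.51.100.5", 443, "constructed-d.example", "Dumpster rental | ACME"),
]

def title_hits(title):
    """Return keywords present in the title as whole words (case-insensitive)."""
    words = set(re.findall(r"[a-z0-9]+", title.lower()))
    return [k for k in STRONG + SUPPORTING if k in words]

def behind_cdn(ip):
    """True if the address falls inside a known CDN range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)

def triage(records):
    """Keep records with at least one strong keyword; annotate for follow-up."""
    findings = []
    for ip, port, host, title in records:
        hits = title_hits(title)
        if not any(k in STRONG for k in hits):
            continue
        findings.append({
            "ip": ip, "port": port, "host": host, "keywords": hits,
            "watched_tld": host.endswith(WATCHED_TLDS),
            # An address outside CDN space is a candidate origin IP.
            "origin_exposed": not behind_cdn(ip),
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_SCAN):
        print(finding)
```

Whole-word matching keeps a title such as “Dumpster rental” from matching “dumps”, and the `origin_exposed` flag marks the records captured before a CDN masks the origin address.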

Thriving black market with fixed prices

The infrastructure uncovered today supports a thriving underground economy. The study describes how these platforms function as sophisticated e-commerce sites – complete with shopping carts, customer support and return policies for “dead” cards.

Stolen credit card information, known as “dumps” (copied from the magnetic stripe) or “CVVs” (for online purchases), is a fixed-price commodity. Market analysis shows that stolen card prices currently range from $5 to $150. Costs vary depending on the credit limit, the issuing bank, and whether additional victim information that facilitates identity theft, such as dates of birth or billing addresses, is included. The 85 identified domains serve as a showcase for this trade and connect wholesalers with data thieves and petty criminals who “cash out” the stolen goods.

An ongoing game of cat and mouse

The publication of these findings is a significant step for the defenders, but experts warn that the situation is dynamic. While identifying the domains and IPs provides immediate targets for takedown action, the carding groups are known for their resilience.

Industry analysts expect that the discovery of these hosting patterns will force perpetrators to migrate to new infrastructure providers or use more sophisticated obfuscation methods in the coming months. However, the methodology demonstrated by Team Cymru, tracking the infrastructure build phase rather than finished sites, provides a blueprint for future investigations. Financial institutions are expected to integrate these Indicators of Compromise (IoCs) into their fraud detection systems immediately. This could block connections to these fraudulent merchants before transactions even take place.
